Bug 997688
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | firewalld not respecting zones bound to interfaces | | |
| Product: | Fedora | Reporter: | Nicholas Schuetz <nick> |
| Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | codronm+circlecode, jpopelka, ksugawar, twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-05-12 10:30:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Nicholas Schuetz
2013-08-16 02:42:39 UTC
On that last comment I meant 'interface' instead of 'port'. Also, I forgot to paste the version of the installed firewalld package.

firewalld-0.3.4-1.fc19.noarch

Ken Sugawara

Let me add a me-too here. I've been seeing the same thing on Fedora 20 as well. I'm surprised no one else has filed this, not to mention this bug has been left unassigned for such a long time.

kernel-3.14.2-200.fc20.x86_64
firewalld-0.3.9.3-1.fc20.noarch

Jiri Popelka (comment #3)

The problem described by Nicholas looks like a regression I introduced in firewalld-0.3.4 and which should have been fixed [1] in firewalld-0.3.9.3.

Ken, I need to see more information, like output of:
# firewall-cmd --list-all-zones
# iptables-save

[1] https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=b2b5b88c56feffe09ddacf5ed348bc587f84160c

Nicholas Schuetz

Jiri, I can confirm that this is fixed in the current version (firewalld-0.3.9.3).

Ken Sugawara

Created attachment 893502 [details]
/etc/firewalld/zones/internal.xml config file

Created attachment 893503 [details]
/etc/firewalld/zones/public.xml config file

Created attachment 893504 [details]
output of firewall-cmd --list-all-zones command

Created attachment 893505 [details]
output of iptables-save command

Ken Sugawara

(In reply to Jiri Popelka from comment #3)
> Ken, I need to see more information, like output of:
> # firewall-cmd --list-all-zones
> # iptables-save

Jiri,

Please see my attachments. Note that, although internal.xml has the following two lines, firewall-cmd --list-all-zones lists these interfaces in the public zone:

    <interface name="p4p1"/>
    <interface name="br0"/>

I can work around this issue by changing the default zone to internal instead of public.

Thanks,
Ken

Jiri Popelka (comment #10)

Are the "p4p1" and "br0" interfaces NetworkManager (NM) managed, i.e. can you see them in 'nmcli connection show'?

If yes, then NM has the last word in which zone the interface belongs, and it overrules the <interface name="abc"> in <zone>.xml. In that case you set the zone in the NM GUI in the General tab, or add [1] ZONE='internal' into /etc/sysconfig/network-scripts/ifcfg-p4p1.

The <interface> tag was AFAIR added so one can specify a zone also for non-NM-managed interfaces.

BTW: I've just realized that [2] doesn't work anymore; I need to ask somebody how to do it now.

[1] http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Add_Interface_to_a_Zone-edit-config.html
[2] http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-View_the_firewall_settings_using_NM_CLI.html

Ken Sugawara (comment #11)

(In reply to Jiri Popelka from comment #10)
> Are the "p4p1" and "br0" interfaces NetworkManager (NM) managed, i.e. can
> you see them in 'nmcli connection show'?

Yup:

    $ nmcli connection show
    NAME  UUID                                  TYPE            TIMESTAMP-REAL
    br0   d2d68553-f97e-7549-7a26-b34a26f29318  bridge          Mon May 12 14:30:13 2014
    p4p1  b41d65ff-0296-461a-8017-b4911ce51010  802-3-ethernet  Mon May 12 14:30:13 2014

> If yes then NM has the last word in which zone the interface belongs and it
> overrules the <interface name="abc"> in <zone>.xml.

Hm, but I don't think it makes much sense, since if I change DefaultZone (/etc/firewalld/firewalld.conf) to "internal", it makes the interfaces belong to the "internal" zone. If NetworkManager was the one changing the zones of these interfaces, it wouldn't make any difference, don't you think?

> In that case you set the zone in NM GUI in General tab or add [1]
> ZONE='internal' into /etc/sysconfig/network-scripts/ifcfg-p4p1

Will try. Right now, neither of ifcfg-{p4p1,br0} has a ZONE= line.

> The <interface> tag was AFAIR added so one can specify zone also for non-NM
> managed interfaces.

Thanks. I will remember this.

Ken

Ken Sugawara (comment #12)

(In reply to Ken Sugawara from comment #11)
> > In that case you set the zone in NM GUI in General tab or add [1]
> > ZONE='internal' into /etc/sysconfig/network-scripts/ifcfg-p4p1
>
> Will try. Right now, neither of ifcfg-{p4p1,br0} has ZONE= line.

I added ZONE=internal to the ifcfg-* files, reverted firewalld.conf's DefaultZone back to public, and rebooted. The p4p1 and br0 interfaces are in the "internal" zone now.

> > The <interface> tag was AFAIR added so one can specify zone also for non-NM
> > managed interfaces.
>
> Thanks. I will remember this.

I guess this was the crux of the biscuit in the end...

Thanks,
Ken

Jiri Popelka

Thanks, I'm closing this ticket, as the original Nicholas' problem has been fixed in 0.3.9.3 and yours is notabug.

Jiri Popelka

(In reply to Jiri Popelka from comment #10)
> BTW: I've just realized that [2] doesn't work anymore, I need to ask
> somebody how to do it now.
>
> [2]
> http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-
> View_the_firewall_settings_using_NM_CLI.html

'nmcli -f all con status' is now 'nmcli -f all con show active'.
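The rule the thread settles on (for a NetworkManager-managed interface, NM's ZONE= setting wins, an unset ZONE= means DefaultZone, and an <interface name="..."/> line in zones/<zone>.xml is not honoured) is easy to get wrong on a host with a mix of NM-managed and unmanaged interfaces, and the symptom is exactly what Ken saw: internal.xml says one thing, firewall-cmd --list-all-zones says another. The following POSIX-shell checker is an added example, not code from the bug report, from firewalld or from NetworkManager. It parses a constructed copy of the reporter's setup (internal.xml listing p4p1 and br0, ifcfg files without ZONE=, DefaultZone=public), reports every interface whose zone-XML binding NM will override, and shows both of Ken's fixes: changing DefaultZone (which merely hides the disagreement) and setting ZONE= on the NM side (which resolves it). The assumption that each interface has an ifcfg-<iface> file named after it is the example's own simplification; NM actually keys profiles by connection name. On a live host, the authoritative answer is firewall-cmd --get-zone-of-interface=<iface>, and nmcli connection modify <name> connection.zone internal is the nmcli equivalent of the ZONE= line.

```shell
#!/bin/sh
# Added example, not code from the bug report or from firewalld/NetworkManager.
# Models offline what the thread established: for an NM-managed interface,
# NM's ZONE= (or DefaultZone when ZONE= is unset) decides the firewalld zone,
# and an <interface name="..."/> line in zones/<zone>.xml is ignored.
# Assumption (this example's simplification): one ifcfg-<iface> file per interface.
# Live-host check: firewall-cmd --get-zone-of-interface=p4p1

# Print "zone iface" for every <interface name="..."/> found under ZONEDIR.
zone_interfaces() {
    for f in "$1"/*.xml; do
        [ -f "$f" ] || continue
        zone=$(basename "$f" .xml)
        sed -n 's/.*<interface name="\([^"]*\)".*/\1/p' "$f" |
            while read -r iface; do printf '%s %s\n' "$zone" "$iface"; done
    done
}

# Zone NM will hand to firewalld for IFACE: ZONE= from IFCFGDIR/ifcfg-IFACE, else DEFAULT.
nm_zone() {
    f="$2/ifcfg-$1"
    z=""
    if [ -f "$f" ]; then
        z=$(sed -n 's/^ZONE=//p' "$f" | tr -d "'\"" | tail -n 1)
    fi
    if [ -n "$z" ]; then printf '%s\n' "$z"; else printf '%s\n' "$3"; fi
}

# One MISMATCH line per interface whose zone-XML binding NM will not honour.
# Usage: check_bindings ZONEDIR IFCFGDIR DEFAULTZONE
check_bindings() {
    zone_interfaces "$1" | while read -r zone iface; do
        eff=$(nm_zone "$iface" "$2" "$3")
        [ "$eff" = "$zone" ] ||
            printf 'MISMATCH %s: %s.xml binds it, NM assigns %s\n' "$iface" "$zone" "$eff"
    done
}

# Number of mismatches as a string (grep -c prints 0 and exits 1 when none).
mismatch_count() {
    check_bindings "$@" | grep -c '^MISMATCH' || true
}

# Constructed fixture mirroring the reporter's setup: internal.xml claims p4p1
# and br0, neither ifcfg file sets ZONE=, and DefaultZone is public.
make_fixture() {
    mkdir -p "$1/zones" "$1/network-scripts"
    cat > "$1/zones/internal.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <interface name="p4p1"/>
  <interface name="br0"/>
  <service name="ssh"/>
</zone>
EOF
    cat > "$1/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
</zone>
EOF
    printf 'TYPE=Ethernet\nDEVICE=p4p1\nBRIDGE=br0\nONBOOT=yes\n' > "$1/network-scripts/ifcfg-p4p1"
    printf 'TYPE=Bridge\nDEVICE=br0\nONBOOT=yes\n' > "$1/network-scripts/ifcfg-br0"
}

# The fix from the thread: bind the zone on the NM side. Usage: set_nm_zone IFCFGDIR IFACE ZONE
# (on a live host, 'nmcli connection modify <name> connection.zone <zone>' does the same).
set_nm_zone() {
    printf 'ZONE=%s\n' "$3" >> "$1/ifcfg-$2"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    echo "# DefaultZone=public, no ZONE= in ifcfg:"
    check_bindings "$d/zones" "$d/network-scripts" public
    set_nm_zone "$d/network-scripts" p4p1 internal
    set_nm_zone "$d/network-scripts" br0 internal
    echo "# after ZONE=internal in both ifcfg files (no output means no mismatch):"
    check_bindings "$d/zones" "$d/network-scripts" public
    rm -rf "$d"
fi
```

Run it with --demo to see the before/after. Note that switching DefaultZone to internal also makes the checker go quiet, which is why that workaround looked like a fix in the thread: it does not make NM honour internal.xml, it just makes NM's default coincide with it, and the interfaces would move again the moment DefaultZone changed.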